On Mon, Apr 02, 2007 at 07:45:08AM -0700, David Conrad wrote:
>
> Hi,
>
> >Wouldn't the holder of these keys be the only ones able to spoof
> >DNSSEC?
>
> Yes. This is an assumption of DNSSEC, regardless of who signs the
> root. The implication of this (and the fact that emergency key
>
David Conrad wrote:
> the fact that emergency key rollover requires everyone on the planet
> with a validating resolver to update the root trust key manually
this, in itself, is infeasible and a showstopper.
randy
Hi,
Wouldn't the holder of these keys be the only ones able to spoof
DNSSEC?
Yes. This is an assumption of DNSSEC, regardless of who signs the
root. The implication of this (and the fact that emergency key
rollover requires everyone on the planet with a validating resolver
to update
role through S&T's
work in this space.
If Doug is lurking out there he can provide much more info or insight into
this.
Jerry
- Original Message -
From: <[EMAIL PROTECTED]>
To:
Sent: Monday, April 02, 2007 4:23 AM
Subject: RE: America takes over DNS
The US De
> > [unicity of names] does not exist in DNS unless you take an
> > extremely narrow technical view.
>
> I thought that NANOG was for extremely narrow technical
> discussions. For bold "We will replace the DNS and IP while we're at
> it" discussions, there are other forums :-)
Yes, I was surprise
> Problems I can see with this would be when someone on the P2P begins
> injecting false data into a stream. How would the mesh be
> structured so
> as to avoid this.
There is a lot of literature about P2P networking in its many
variations. The nice thing is that it is mostly freely available
On Mon, Apr 02, 2007 at 01:09:48PM +0200,
Peter Dambier <[EMAIL PROTECTED]> wrote
a message of 85 lines which said:
> The Racines Libres have failed?
>
> There are so many out there that we cannot count them any longer.
That's true. Dozens of first-year CS students have set up one and then
t
On Mon, Apr 02, 2007 at 12:23:43PM +0100,
[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote
a message of 58 lines which said:
> [unicity of names] does not exist in DNS unless you take an
> extremely narrow technical view.
I thought that NANOG was for extremely narrow technical
discussions. For bol
[EMAIL PROTECTED] wrote:
Very interesting because it is the second story on the list this weekend
which highlights that DNS domain registries (and ultimately the root
zone) are a single point of failure on the Internet. Wouldn't the holder
of these keys be the only ones able to spoof DNSSEC? And
> > It is probably time to start looking at alternative naming
> > systems. For instance, we have a much better understanding of P2P
> > technology these days and a P2P mesh could serve as the top level
> > finder in a naming system rather than having a fixed set of roots.
>
> The only serious (?
The Racines Libres have failed?
There are so many out there that we cannot count them any longer.
I think the only failure is the "single point of failure root".
They have failed to be trustworthy.
It is so easy, get a copy of a trustworthy root-zone and run
your own root. From time to time
On Mon, Apr 02, 2007 at 09:23:32AM +0100,
[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote
a message of 46 lines which said:
> It is probably time to start looking at alternative naming
> systems. For instance, we have a much better understanding of P2P
> technology these days and a P2P mesh could
> The US Department of Homeland Security (DHS) ...
> wants to have the key to sign the DNS root zone
> solidly in the hands of the US government.
> This ultimate master key would then allow
> authorities to track DNS Security Extensions
> (DNSSec) all the way back to the servers that
> represent t
On Sun, 1 Apr 2007, David Conrad wrote:
>
> Hi,
>
> On Apr 1, 2007, at 6:54 AM, J. Oquendo wrote:
> > Summary:
>
> Confusion resulting from hearsay and extrapolations.
>
> > The "key-signing key" signs the zone key, which is held by VeriSign.
>
> Except that the root zone hasn't been signed a
Hi,
On Apr 1, 2007, at 6:54 AM, J. Oquendo wrote:
Summary:
Confusion resulting from hearsay and extrapolations.
The "key-signing key" signs the zone key, which is held by VeriSign.
Except that the root zone hasn't been signed and there are no plans I
am aware of to do so (and I think I'd p